By default, XmlPullParser will not parse objects, so you will not be exposed to such vulnerabilities. But you will have to deal with exceptions thrown when trying to parse undeclared objects. To preserve this behavior, you must ensure that XmlPullParser.FEATURE_PROCESS_DOCDECL is set to false before any analysis of the document.
It is also recommended that you do not validate your XML with a DTD coming from an unknown source. The best approach for this is to use the embedded DTD in your application and use it to validate the XML.
You can find more information about XML External Entities at the following links:
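The configuration described above, as an added example that is not part of the original answer. It assumes an `org.xmlpull.v1` implementation such as the one shipped with Android; the class name `SafePullParsing`, the helper `readText` and the sample document are constructed for illustration.

```java
import java.io.StringReader;
import org.xmlpull.v1.XmlPullParser;
import org.xmlpull.v1.XmlPullParserException;
import org.xmlpull.v1.XmlPullParserFactory;

public class SafePullParsing {
    // Constructed sample input: the DOCTYPE declares an external entity
    // (placeholder system id) and the body references it.
    static final String SAMPLE =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE note [ <!ENTITY ext SYSTEM \"file:///placeholder\"> ]>\n"
        + "<note>&ext;</note>";

    // Hypothetical helper: returns the concatenated text content of the document.
    static String readText(String xml) throws Exception {
        XmlPullParser parser = XmlPullParserFactory.newInstance().newPullParser();
        // Keep DOCTYPE processing explicitly off, before any input is read,
        // so that entity declarations in the document are never honoured.
        parser.setFeature(XmlPullParser.FEATURE_PROCESS_DOCDECL, false);
        parser.setInput(new StringReader(xml));

        StringBuilder text = new StringBuilder();
        for (int event = parser.getEventType();
             event != XmlPullParser.END_DOCUMENT;
             event = parser.next()) {
            if (event == XmlPullParser.TEXT) {
                text.append(parser.getText());
            }
        }
        return text.toString();
    }

    public static void main(String[] args) throws Exception {
        try {
            String text = readText(SAMPLE);
            // Reaching this line means the parser skipped the reference instead of failing.
            System.out.println("Parsed text: [" + text + "]");
        } catch (XmlPullParserException e) {
            // The entity was never declared from the parser's point of view,
            // so the reference is rejected rather than resolved.
            System.out.println("Rejected document: " + e.getMessage());
        }
    }
}
```

Catching `XmlPullParserException` at the call site is what lets the application treat a document carrying entity references as invalid input instead of crashing.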